At 06:43 AM 7/9/96 +0000, you wrote:
Michael Dillon writes:
On Tue, 9 Jul 1996, Daniel W. McRobb wrote:
There will likely never be a means for a single NSP to track down the real source of spoofed packets using IPv4. Service providers won't be letting other service providers track spoofed packets through their network.
Why not? Don't telcos do this? Or if your answer is that telcos only do it for the police and not for each other, then my question would be why can't we form an Internet equivalent, maybe affiliated with something like CERT, that can make these requests and with whom NSPs would cooperate.
What sort of incentive or penalty do you think would enable this cooperation?
Nevin
These garbage packets are flooding through somebody's network to get to the target. I'd think it would benefit the intervening operators to eliminate traffic that is harmful, probably illegal, and wasting the resource they sell, bandwidth.
Doug Stanfield
Oceanic Cable
Project Engineer
dougs@oceanic.com
(808) 625-8455 fax (808) 625-5888
"The significant problems we face cannot be solved at the same level of thinking we were at when we created them." - Albert Einstein
In message <199607092210.MAA09327@ns.oceanic.com>, Doug Stanfield writes:
These garbage packets are flooding through somebody's network to get to the target. I'd think it would benefit the intervening operators to eliminate traffic that is harmful, probably illegal, and wasting the resource they sell, bandwidth.
Doug Stanfield
Oceanic Cable
Project Engineer
dougs@oceanic.com
(808) 625-8455 fax (808) 625-5888
"The significant problems we face cannot be solved at the same level of thinking we were at when we created them." - Albert Einstein
If the traffic passes through ANS, call the NOC or send e-mail to trouble@ans.net. We can generally tell you where the traffic came into ANS, even after the fact. You then go to the next NOC down the line. Repeat until completed. No, it isn't automated and brief attacks would be tough, but that's the state of things and it has been sufficient. You typically need to go through one or two providers and then a site or campus and maybe department before getting to the source machine. I've only been rarely and mostly peripherally involved in followup, but I do remember a number of other providers being extremely cooperative to the point of physically moving workstations to act as sniffers, though they did need to set up monitoring to trace things further. I seem to remember a number of cases that were traced as being recurring cases of badly broken software rather than attacks, like boxes that didn't like multicast and crashed and spewed garbage. This latest incident could be the same.
Curtis
participants (2): Curtis Villamizar, Doug Stanfield